WordPress Plugin Vulnerabilities

MStore API < 3.9.1 - Authentication Bypass

Description

The plugin does not properly verify the user provided when redemption coupons via its REST API, allowing unauthenticated users to login as an arbitrary user by providing their ID

Affects Plugins

Plugin icon
mstore-api
Fixed in 3.9.1

References

CVE
CVE-2023-2733

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
456952ad-2ba3-4142-aef4-67a56bc13455

Timeline

Publicly Published
2023-05-17 (about 2 years ago)
Added
2023-05-26 (about 2 years ago)
Last Updated
2023-05-26 (about 2 years ago)

Other

Published
Title
Published
2025-04-07
Title
Admin and Site Enhancements (ASE) < 7.6.10 - Password Protection Bypass
Published
2017-12-03
Title
Apocalypse Meow 21.1.3-21.2.7 - BCrypt Authentication Bypass
Published
2024-11-14
Title
Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 - 9.1.1.1 - Authentication Bypass
Published
2025-09-29
Title
LatePoint < 5.2.0 - Unauthenticated Authentication Bypass
Published
2021-11-02
Title
WP DSGVO Tools (GDPR) < 3.1.24 - Unauthenticated Arbitrary Post Deletion